示例#1
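/**
 * Given the full path of a file, try to find the user the file
 * corresponds to and assign him/her this file as his/her picture.
 * Make extensive checks to make sure we don't open any security holes
 * and report back any success/error.
 *
 * The file name minus its extension is the value looked up in
 * $userfield, so the name is validated with PARAM_CLEANFILE before it
 * is used for anything. A name with no extension at all is looked up
 * whole instead of having its last character chopped off.
 *
 * @param string $file the full path of the file to process
 * @param string $userfield the prefix_user table field to use to
 *               match picture files to users. It is passed unquoted
 *               as a column name, so the caller must restrict it to a
 *               fixed set of known fields.
 * @param bool $overwrite overwrite existing picture or not.
 *
 * @return integer either PIX_FILE_UPDATED, PIX_FILE_ERROR or
 *                  PIX_FILE_SKIPPED
 */
function process_file($file, $userfield, $overwrite)
{
    // Add additional checks on the filenames, as they are user
    // controlled and we don't want to open any security holes.
    $path_parts = pathinfo(cleardoubleslashes($file));
    $basename = $path_parts['basename'];
    if ($basename != clean_param($basename, PARAM_CLEANFILE)) {
        // The original picture file name has invalid characters
        notify(get_string('uploadpicture_invalidfilename', 'admin', clean_param($basename, PARAM_CLEANHTML)));
        return PIX_FILE_ERROR;
    }
    // The picture file name (without extension) must match the
    // userfield attribute. pathinfo() leaves 'extension' unset when the
    // name contains no dot, so only strip the ".ext" suffix when there
    // is one; otherwise the whole basename is the lookup value.
    if (isset($path_parts['extension'])) {
        $extension = $path_parts['extension'];
        $uservalue = substr($basename, 0, strlen($basename) - strlen($extension) - 1);
    } else {
        $uservalue = $basename;
    }
    // userfield names are safe, so don't quote them. The value comes
    // from the file name, so it is escaped before the lookup.
    if (!($user = get_record('user', $userfield, addslashes($uservalue)))) {
        $a = new Object();
        $a->userfield = clean_param($userfield, PARAM_CLEANHTML);
        $a->uservalue = clean_param($uservalue, PARAM_CLEANHTML);
        notify(get_string('uploadpicture_usernotfound', 'admin', $a));
        return PIX_FILE_ERROR;
    }
    // Respect an existing picture unless the caller asked to replace it.
    $haspicture = get_field('user', 'picture', 'id', $user->id);
    if ($haspicture && !$overwrite) {
        notify(get_string('uploadpicture_userskipped', 'admin', $user->username));
        return PIX_FILE_SKIPPED;
    }
    // Only flag the picture as present once the image was actually stored.
    if (my_save_profile_image($user->id, $file)) {
        set_field('user', 'picture', 1, 'id', $user->id);
        notify(get_string('uploadpicture_userupdated', 'admin', $user->username));
        return PIX_FILE_UPDATED;
    } else {
        notify(get_string('uploadpicture_cannotsave', 'admin', $user->username));
        return PIX_FILE_ERROR;
    }
}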
示例#2
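/**
 * Given the full path of a file, try to find the user the file
 * corresponds to and assign him/her this file as his/her picture.
 * Make extensive checks to make sure we don't open any security holes
 * and report back any success/error.
 *
 * The file name minus its extension is the value looked up in
 * $userfield. A name with no extension at all is looked up whole
 * instead of having its last character chopped off.
 *
 * @param string $file the full path of the file to process
 * @param string $userfield the prefix_user table field to use to
 *               match picture files to users. It is used unquoted as
 *               a column name in the lookup, so the caller must
 *               restrict it to a fixed set of known fields.
 * @param bool $overwrite overwrite existing picture or not.
 *
 * @return integer either PIX_FILE_UPDATED, PIX_FILE_ERROR or
 *                  PIX_FILE_SKIPPED
 */
function process_file($file, $userfield, $overwrite)
{
    global $DB, $OUTPUT;
    // Add additional checks on the filenames, as they are user
    // controlled and we don't want to open any security holes.
    $path_parts = pathinfo(cleardoubleslashes($file));
    $basename = $path_parts['basename'];
    // NOTE(review): the basename itself is not validated here (e.g. with
    // clean_param() and PARAM_CLEANFILE); it only feeds a parameterised
    // lookup and my_save_profile_image(), but confirm the caller
    // restricts the names it passes in.
    // The picture file name (without extension) must match the
    // userfield attribute. pathinfo() leaves 'extension' unset when the
    // name contains no dot, so only strip the ".ext" suffix when there
    // is one; otherwise the whole basename is the lookup value.
    if (isset($path_parts['extension'])) {
        $extension = $path_parts['extension'];
        $uservalue = substr($basename, 0, strlen($basename) - strlen($extension) - 1);
    } else {
        $uservalue = $basename;
    }
    // userfield names are safe, so don't quote them. The value is bound
    // through the conditions array, not interpolated into SQL.
    if (!($user = $DB->get_record('user', array($userfield => $uservalue, 'deleted' => 0)))) {
        $a = new stdClass();
        $a->userfield = clean_param($userfield, PARAM_CLEANHTML);
        $a->uservalue = clean_param($uservalue, PARAM_CLEANHTML);
        echo $OUTPUT->notification(get_string('uploadpicture_usernotfound', 'tool_uploaduser', $a));
        return PIX_FILE_ERROR;
    }
    // Respect an existing picture unless the caller asked to replace it.
    $haspicture = $DB->get_field('user', 'picture', array('id' => $user->id));
    if ($haspicture && !$overwrite) {
        echo $OUTPUT->notification(get_string('uploadpicture_userskipped', 'tool_uploaduser', $user->username));
        return PIX_FILE_SKIPPED;
    }
    // Only record the new picture revision once the image was actually stored.
    if ($newrev = my_save_profile_image($user->id, $file)) {
        $DB->set_field('user', 'picture', $newrev, array('id' => $user->id));
        echo $OUTPUT->notification(get_string('uploadpicture_userupdated', 'tool_uploaduser', $user->username), 'notifysuccess');
        return PIX_FILE_UPDATED;
    } else {
        echo $OUTPUT->notification(get_string('uploadpicture_cannotsave', 'tool_uploaduser', $user->username));
        return PIX_FILE_ERROR;
    }
}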